ABSTRACT

Methods are presented whereby an Algol-like program, given together with its specifications, can be documented automatically. The program is incrementally annotated with invariant relationships that hold between program variables at intermediate points in the program and explain the actual workings of the program regardless of whether the program is correct. Thus this documentation can be used for proving the correctness of the program or may serve as an aid in the debugging of an incorrect program.

The annotation techniques are formulated as Hoare-like inference rules which derive invariants from the assignment statements, from the control structure of the program, or, heuristically, from suggested invariants. The application of these rules is demonstrated by two examples which have run on an experimental implementation.
I. INTRODUCTION

A convenient form for expressing many facts about a program is a set of invariant assertions (invariants, for short) which detail relationships between the different variables manipulated by the program. Invariant assertions play an important role in many aspects of programming, including: proving correctness and termination, proving incorrectness, guiding debugging, analyzing efficiency and aiding in optimization.

Program annotation is the process of discovering these invariants. We are given an Algol-like program along with an output specification stating the desired relationship among the program variables upon termination, and an input specification defining the set of inputs on which the program is intended to operate. It is, however, not known whether or not the program is correct and satisfies those specifications. Our task is to generate the invariant assertions describing the workings of the program as is, independent of its correctness or incorrectness.

In the following sections, we present a unified approach to program annotation, using annotation rules — in the style of Hoare [1969] — to derive invariants. Section II presents an overview of our approach. It is followed by two detailed examples: the first (Section III) illustrates the basic techniques on a single-loop program; the second (Section IV) applies the techniques to a program with nested loops and arrays. A catalog of annotation rules is included in the Appendix.

We have implemented the strategies described in this paper in QLISP (Wilber [1976]), which resides in an INTERLISP environment (Teitelman [1974]). The two examples presented here are among those that have run successfully on our experimental system. Three earlier annotation systems are:

• the system described in Elspas [1974], based mainly upon the solution of difference equations;

• VISTA (German [1974], German and Wegbreit [1976]), based upon the top-down heuristics of Wegbreit [1974]; and

• ADI (Tamir [1976]), an interactive system based upon the methods of Katz and Manna [1976] and Katz [1976].

Our system, as described here, attempts to incorporate and expand upon those systems.
II. OVERVIEW

In this section, we first define some terminology and then, in an attempt to impart the flavor of the general approach, present samples of each type of annotation rule.

1. Notation and Terminology

Given a program with its specifications, our goal is to document the program automatically with invariants. If the program is correct with respect to the specifications, we would like the invariants to provide sufficient information to prove its correctness; if the program is incorrect, we would like information helpful in determining what is wrong with it. Three types of invariants will play a role in our discussion:

• Global invariants are relations that hold at all places (i.e., labels) and at all times during the execution of some program segment. We shall write

    { α } in P

to indicate that the relation α is a global invariant in the program segment P.

• Local invariants are associated with specific points in the program, and hold for the current values of the variables whenever control passes through the corresponding point. Thus,

    { α } at L

means that the relation α holds each time control is at label L.

• Candidates for invariants, also associated with specific points, are relations that are believed to be local invariants, but which have not yet been verified. Using question marks to emphasize that these relations are just candidates, we write

    {? α ?} at L .

Consider the following simple program, meant to compute the quotient q and remainder r of the integer input values c and d:
    P1: begin comment integer division
    B1: { c ∈ N , d ∈ N⁺ }
        q := 0
        r := c
        loop L1: { ... }
          until r < d
          q := q+1
          r := r-d
        repeat
    E1: {? q ∈ N , q ≤ c/d , c/d < q+1 , r = c-q·d ?}
    end ,

where N is the set of natural numbers, and N⁺ is the set of positive integers. We use the loop-until-repeat construct to indicate that the two loop-body assignments, q := q+1 and r := r-d, are repeated until the exit test r < d is true for the first time. This program will be used only to illustrate various aspects of program annotation; examples of full annotation are given in Sections III and IV.


The invariant

    { c ∈ N , d ∈ N⁺ }

attached to the begin label B1, is the input specification of the program defining the class of "legal" inputs. It indicates that whenever computation starts at B1, the variable c is a natural number and d is a positive integer. The input specification is assumed to hold, regardless of whether the program is correct or not. Since it is a local invariant at B1, we refer to it as

    { c ∈ N , d ∈ N⁺ } at B1 .

The candidate

    {? q ∈ N , q ≤ c/d , c/d < q+1 , r = c-q·d ?}

attached to the end label E1, is the output specification of the program. It states that the desired outcome of the program is that q be the largest integer that is not larger than c/d and r be the remainder. Since one cannot assume that the programmer has not erred, initially all programmer-supplied assertions — including the program's output specification — are only candidates for invariants.


In order to verify that a candidate is indeed a local invariant, we must show that whenever control reaches the corresponding point, the candidate holds. Suppose that we are given a candidate for a loop invariant

    {? r = c-q·d ?} at L1 .

To prove that it is an invariant, one must show that the relation holds at L1 when the loop is first entered, and that once it holds at L1, it remains true each subsequent time control returns to L1. If we succeed, then we would write

    { r = c-q·d } at L1 .

Furthermore, if r = c-q·d holds whenever control is at L1, then it will also hold whenever control leaves the loop and reaches E1. In other words, r = c-q·d would also be an invariant at E1, and may be removed from the list of candidates at E1. In that case, we would write

    {? q ∈ N , q ≤ c/d , c/d < q+1 ?} and { r = c-q·d } at E1 .

Global invariants often express the range of variables. For example, since the variable q is first initialized to zero and is subsequently incremented by ones, it is obvious that the value of q is always a natural number. Thus we have the global invariant

    { q ∈ N } in P1 ,

which relates to the program as a whole, and states that q ∈ N throughout execution of the program segment P1.


In this paper, we describe various annotation techniques. These techniques are expressed as rules: the antecedents of each rule are usually annotated program segments, containing invariants or candidate invariants, and the consequent is either an invariant or a candidate. We list about forty such rules in the Appendix; they are numbered <1>, <2>, etc. This list is representative of the kinds of rules that may be used for annotation; it is not, however, meant to be a complete list. Not only are these rules useful for automatic annotation, but they may also help clarify the relationships between program text and invariants for the human programmer.

We differentiate between three types of rules: assignment rules, control rules and heuristic rules.

• Assignment rules yield global invariants based only upon the assignment statements of the program.

• Control rules yield local invariants based upon the control structure of the program.

• Heuristic rules have candidates as their consequents. These candidates, though promising, are not guaranteed to be invariants.

The assignment and control rules are algorithmic in the sense that they derive relations in such a manner as to guarantee that they are invariants. The heuristics are rules of plausible inference, reflecting common programming practice.


2. Assignment Rules

Many of the algorithmic rules depend only upon the assignment statements of the program and not upon its control structure. In other words, whether the assignments appear within an iterative or recursive loop or on some branch of a conditional statement is irrelevant. Since the location and order in which the assignments are executed does not affect the validity of the rules, these rules yield global invariants.

The various assignment rules relate to particular operators occurring in the assignment statements of the program. Some of the rules for addition, for example, are: an addition rule, which gives the range of a variable which is updated by adding (or subtracting) a constant; a set-addition rule for the case where the variable is added to another variable whose range is already known; and an addition-relation rule which relates two variables that are always incremented by similar expressions. Corresponding rules apply to other operators.

In dealing with sets, we find the following notation convenient: The set of elements f(s1, s2, ..., sm) such that s1 ∈ S1, s2 ∈ S2, ..., sm ∈ Sm — where f is any expression and m ≥ 0 — is denoted by f(S1, S2, ..., Sm). For example, since N denotes the set of natural numbers, the set f(N, N) = a0+N·a1+N·a2 contains all elements a0+m·a1+n·a2 such that m and n are natural numbers.
Using this notation, we have the addition rule <1>

    x := a0 | x+a1 | x+a2 | ... in P
    ----------------------------------
    { x ∈ a0+a1·N+a2·N+ ... } in P ,

where P is a program segment and the expressions ai are of constant value within P. The antecedent

    x := a0 | x+a1 | x+a2 | ... in P

indicates that the only assignments to the variable x in P are x := a0, x := x+a1, x := x+a2, etc. The consequent

    { x ∈ a0+a1·N+a2·N+ ... } in P

is a global invariant indicating that x belongs to the set a0+a1·N+a2·N+ ... throughout execution of P — but only from the point when x first receives a defined value in P. [After any execution of x := a0, clearly x ∈ a0+a1·N+a2·N+ ... with x = a0+a1·0+a2·0+ ..., and if x = a0+a1·m+a2·n+ ... for some m, n, ... before executing x := x+a1, then x = ... after executing the assignment. Thus, m represents the number of executions of x := x+a1 since x := a0 was executed last, n is the number of executions of x := x+a2, etc.] From such an invariant, more specific properties may be derived. For example, a bound on x may be derived using methods of interval arithmetic (see, e.g., Gibb [1961]). Note that no restrictions are placed on the order in which the assignments to x are executed, except that prior to the first execution of x := a0, the invariant may not hold.

In our simple program P1, the assignments to the variable q are

    q := 0 | q := q+1 .

So we can apply the addition rule, letting a0 = 0 and a1 = 1, and obtain the global invariant q ∈ 0+1·N, i.e.,

    { q ∈ N } in P1 .


The assignments to r in P1 are

    r := c | r := r-d .

Applying the same rule to them, letting a0 = c and a1 = -d, yields the invariant

    { r ∈ c-d·N } in P1 .

Given that d is positive, we may conclude that r ≤ c.


The set-addition rule is a more general form of the above addition rule, applicable to nondeterministic assignments of the form x :∈ f(S), where an arbitrary element of f(S) is assigned to x. Note that an assignment x := f(s), where it is only known that s ∈ S, may be viewed as the nondeterministic assignment x :∈ f(S). The set-addition rule <6> is

    x :∈ S0 | x+S1 | x+S2 | ... in P
    ----------------------------------
    { x ∈ S0+ΣS1+ΣS2+ ... } in P ,

where ΣS denotes the set of sums s1+s2+ ··· +sm for (not necessarily distinct) addends si in S. If m = 0, the sum is 0. If S contains the single element s, then ΣS = s·N.

(This rule applies analogously to any associative and commutative operator "⊕".) These assignment rules for global invariants are related to the weak interpretation method of Sintzoff [1972] (see also Wegbreit [1976] and Harrison [1977]) which has been implemented by Scherlis [1974].

In our program P1, the assignments to r were

    r := c | r := r-d .

Since we are given that c ∈ N and d ∈ N⁺, we may view these as the nondeterministic assignments

    r :∈ N | r :∈ r-N⁺ ,

and by applying the set-addition rule, we obtain the global invariant r ∈ N-ΣN⁺. This simplifies to

    { r ∈ I } in P1 ,

where I is the set of all integers.
To relate different variables appearing in a program, we have an addition-relation rule <11>:

    (x, y) := (a0, b0) | (x+a1·u, y+b1·u) | (x+a1·v, y+b1·v) | ... in P
    -------------------------------------------------------------------
    { a1·(y-b0) = b1·(x-a0) } in P ,

where u, v, ... are arbitrary (not necessarily constant) expressions. The invariant begins to hold when the multiple assignment (x, y) := (a0, b0) has been executed for the first time. [The invariant a1·(y-b0) = b1·(x-a0) clearly holds when x = a0 and y = b0. Assuming it holds before executing (x, y) := (x+a1·u, y+b1·u), then after executing the assignment, both sides of the equality are increased by a1·b1·u, and the invariant still holds.] The multiple assignments in the antecedent of the rule, e.g., (x, y) := (x+a1·u, y+b1·u), may represent the cumulative effect of individual assignments lying on a path between two labels, with the understanding that whenever x := x+a1·u is executed, so is y := y+b1·u for the same value of the expression u. In that case, the invariant will not, in general, hold between the individual assignments.

In our example, the assignments in the initialization path give us

    (q, r) := (0, c) ,

and for the loop-body path we have

    (q, r) := (q+1, r-d) .

By a simple application of the addition-relation rule with a0 = 0, b0 = c, a1 = u = v = 1, and b1 = -d, we derive the invariant 1·(r-c) = -d·(q-0), which simplifies to

    { r = c-q·d } in P1 .
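To make the assignment rules concrete, here is an added Python example (not from the paper or its QLISP system) that asserts the global invariants derived above for P1 at label L1 while P1 executes, and also runs a hypothetical variant whose exit test is r ≤ d; the rule-derived invariants hold in both runs, while only the correct program meets the output candidate at E1.

```python
"""Checking the invariants derived by the assignment rules for P1.

Added example, not the paper's QLISP implementation. P1 is transcribed from the
paper; the variant exit test (r <= d) is a hypothetical bug introduced here.
"""
from itertools import product


def in_addition_set(x, a0, increments, bound=64):
    """Membership in the set a0 + a1·N + a2·N + ... of the addition rule <1>.

    Searches multiplicities m_i < bound; m_i is the number of executions of
    x := x + a_i since x := a0 was last executed, as the rule's justification says.
    """
    for ms in product(range(bound), repeat=len(increments)):
        if a0 + sum(m * a for m, a in zip(ms, increments)) == x:
            return True
    return False


def run_p1(c, d, exit_test=lambda r, d: r < d):
    """Run P1 with its derived global invariants asserted at L1.

    Returns (q, r, spec_holds) where spec_holds is the output candidate at E1.
    An AssertionError would mean a rule-derived invariant was violated.
    """
    assert c >= 0 and d >= 1                      # B1: { c ∈ N, d ∈ N⁺ }
    q = 0
    r = c
    while True:                                   # loop L1:
        # Addition rule <1>:  { q ∈ 0 + 1·N } in P1,  { r ∈ c − d·N } in P1
        assert in_addition_set(q, 0, [1])
        assert in_addition_set(r, c, [-d])
        # Addition-relation rule <11>:  { r = c − q·d } in P1
        assert r == c - q * d
        if exit_test(r, d):                       # until r < d
            break
        q = q + 1
        r = r - d
    # E1: {? q ∈ N, q ≤ c/d, c/d < q+1, r = c − q·d ?}  (q ≤ c/d is q·d ≤ c since d > 0)
    spec_holds = q >= 0 and q * d <= c < (q + 1) * d and r == c - q * d
    return q, r, spec_holds


def buggy_exit(r, d):
    """Hypothetical off-by-one exit test, not from the paper: stops one step early."""
    return r <= d


if __name__ == "__main__":
    print(run_p1(17, 5))              # (3, 2, True): the correct program meets its spec
    print(run_p1(10, 5, buggy_exit))  # (1, 5, False): invariants held, the spec did not
```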

We note that this addition-relation rule (as well as several other relation rules in the Appendix) may be derived from the following general relation-rule schema:

    (x, y) := (a0, b0) | (x⊕(u⊗a1), y⊕(u⊗b1)) | (x⊕(v⊗a1), y⊕(v⊗b1)) | ... in P
    -------------------------------------------------------------------------------
    { (a0⊗b1)⊕(y⊗a1) = (x⊗b1)⊕(b0⊗a1) } in P ,

where the operator ⊕ is commutative and associative, operator ⊗ satisfies (a⊗b)⊗c = (a⊗c)⊗b, and (a⊕b)⊗c = (a⊗c)⊕(b⊗c). (These relation rules are related to the approach in Caplain [1976].)

Before turning to the control rules, we mention an additional useful technique: the augmentation of a program with counters. For example, by initializing a counter to zero upon entering a loop and incrementing it by one with each iteration, the value of the counter will indicate the number of times that the loop has been executed. Then relations between the program variables and the counter can be found. (The variable q serves as a loop counter in the example program P1.) By deriving upper/lower bounds on the counter upon loop exit, the termination of the loop may be proved and time complexity analyzed. Loop counters may also be used to discover relations between variables by solving first-order difference equations (see, e.g., Elspas [1974] and Katz and Manna [1976]).


3. Control Rules

Unlike the previous rules which completely ignore the control structure of the program, there are also control rules that derive important invariants from the program structure. (They are related to the verification rules of Hoare [1969].) For example, the forward loop-exit rule <31>,

    loop P'
         { α }
         until t
         L':
         P''
    repeat
    L'':
    ----------------
    { α , ¬t } at L'
    { α , t } at L'' ,

reflects the fact that if a loop is exited and control is at L'', then the exit test t must have just held, while if the loop is continued at L', the exit test was false. Furthermore, any relation α that held just prior to the test also holds immediately after. The forward loop-body rule <29>,

    { α }
    loop L:
         P
         { β }
    repeat
    ----------------
    { α ∨ β } at L ,

states that for control to be at the head of a loop, at L, either the loop has just been entered, or the loop body has been executed and the loop is being repeated. Therefore the disjunction α ∨ β of an invariant α known to hold just before the loop with an invariant β known to hold at the end of the loop body must hold at L.


Applying the first rule to the loop in the integer-division program P1 yields the invariant r < d at E1, and r ≥ d at the head of the loop body:

    q := 0
    r := c
    loop L1:
         until r < d
         { r ≥ d }
         q := q+1
         r := r-d
    repeat
    E1: { r < d } .

To propagate invariants, such as r ≥ d, past assignment statements, we have a forward assignment rule <21>,

    { α(x, y) }
    x := f(x, y)
    L:
    ----------------
    { α(f⁻(x, y), y) } at L ,

where f⁻ is the inverse of the function f in the first argument, i.e., f⁻(f(x, y), y) = x. In our example, since the first loop-body assignment q := q+1 does not affect any variable appearing in the invariant r ≥ d, the invariant is pushed forward unchanged. To propagate r ≥ d past the second assignment, r := r-d, we replace r by the inverse of r-d, that is r+d, yielding r+d ≥ d, or

    { r ≥ 0 }

at the end of the loop body.


The assignment axiom <18>,

    x := a
    { x = a }

(the expression a may not contain x), gives us the invariant

    { r = c }

prior to entering the loop. Thus, by the forward loop-body rule <29>, we get the loop invariant

    { r = c ∨ r ≥ 0 } at L1 .

Since, by the input specification 0 ≤ c, the first disjunct is subsumed by the second (if the first disjunct is true, then the second must also hold), and the invariant simplifies to

    { r ≥ 0 } at L1 .

To generate invariants from conditional statements, we have a forward test rule <26>:

    { α }
    if t then L': P'
         else L'': P''
    fi
    ----------------
    { α , t } at L'
    { α , ¬t } at L'' .

That is, for the then branch to be taken t must be true, while for the else branch to be taken it must be false. And anything that held before the test holds after.
To illustrate the control rules, consider the following single-loop, single-conditional program schema:

    P2: begin
        z := c
        loop L2: { ... }
          until t(z)
          z := f(z)
          if s(z) then z := g(z) else z := h(z) fi
        repeat
    end .

We shall assume that the inverse functions f⁻, g⁻ and h⁻ are available whenever required by the rules.

The assignment axiom <18>, when applied to the initial assignment z := c, yields the invariant

    { z = c }

before the loop. The forward loop-exit rule <31> generates the invariant ¬t(z) at the head of the loop body, immediately after the until clause, and then the forward assignment rule <21> gives ¬t(f⁻(z)) preceding the conditional. So far we have the loop body

    until t(z)
    z := f(z)
    { ¬t(f⁻(z)) }
    if s(z) then z := g(z) else z := h(z) fi .

The forward test rule <26> propagates that invariant forward and adds s(z) at the head of the then clause of the conditional, and ¬s(z) at the head of the else clause:

    if s(z) then { ¬t(f⁻(z)) ∧ s(z) }; z := g(z)
         else { ¬t(f⁻(z)) ∧ ¬s(z) }; z := h(z)
    fi .

By pushing ¬t(f⁻(z)) and s(z) through the then-branch assignment z := g(z), and ¬t(f⁻(z)) and ¬s(z) through the else-branch assignment z := h(z), we get

    if s(z) then z := g(z); { ¬t(f⁻(g⁻(z))) ∧ s(g⁻(z)) }
         else z := h(z); { ¬t(f⁻(h⁻(z))) ∧ ¬s(h⁻(z)) }
    fi .

After a conditional statement, we know that one of the two branches must have been taken. This is expressed by the forward branch rule <27>

    if t then P'; { α }
         else P''; { β }
    fi
    L:
    ----------------
    { α ∨ β } at L .

Thus, by disjoining the invariants from the two different paths, one gets

    { [¬t(f⁻(g⁻(z))) ∧ s(g⁻(z))] ∨ [¬t(f⁻(h⁻(z))) ∧ ¬s(h⁻(z))] }

after the conditional, at the end of the loop body.

The forward loop-body rule <29> expressed the fact that if control is at the head of a loop, either the loop-initialization invariant or the loop-body invariant must hold. Applying this rule to our schema

    { z = c }
    loop L2: { ... }
      until t(z)
      z := f(z)
      if s(z) then z := g(z) else z := h(z) fi
      { [¬t(f⁻(g⁻(z))) ∧ s(g⁻(z))] ∨ [¬t(f⁻(h⁻(z))) ∧ ¬s(h⁻(z))] }
    repeat ,

we derive the loop invariant

    { z = c ∨ [¬t(f⁻(g⁻(z))) ∧ s(g⁻(z))] ∨ [¬t(f⁻(h⁻(z))) ∧ ¬s(h⁻(z))] } at L2 .


This loop invariant embodies two facts about the control structure of this schema:

• exit lemma: Whenever control is at L2, either the loop has just been entered, or the loop-exit test was false the last time around the loop. That is,

    { z = c ∨ ¬t(f⁻(g⁻(z))) ∨ ¬t(f⁻(h⁻(z))) } at L2 .

The first disjunct is the result of the initialization path; the second states that the exit test was false for the value of z when L2 was last visited, assuming control came via the then path of the conditional; the third disjunct says the same for the case when control came via the else path.

• test lemma: Whenever control is at L2, either the loop has just been entered, or the conditional test was true the last time around and the then path was taken, or the test was false and the else path was taken. That is,

    { z = c ∨ s(g⁻(z)) ∨ ¬s(h⁻(z)) } at L2 .
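The derivation above can be mechanized. The following added Python (not the paper's implementation) represents formulas as nested tuples, implements the forward rules <18>, <21>, <26>, <27>, <29> and <31> as substitutions and disjunctions, reproduces the loop invariant at L2 of schema P2, and weakens it into the exit and test lemmas; the names f⁻, g⁻, h⁻ for the inverse functions are the schema's own assumption.

```python
"""Symbolic forward propagation through schema P2 (rules <18>, <21>, <26>, <27>, <29>, <31>).

Added example, not the paper's implementation. Formulas are nested tuples:
('pred', name, term), ('eq', term, term), ('not', f), ('and', f, g), ('or', f, g);
terms are ('var', name), ('const', name) or ('app', fname, term).
"""


def term_str(t):
    return t[1] if t[0] in ("var", "const") else f"{t[1]}({term_str(t[2])})"


def fmt(f, top=True):
    """Render in the paper's notation; a conjunction inside a disjunction is bracketed."""
    kind = f[0]
    if kind == "pred":
        return f"{f[1]}({term_str(f[2])})"
    if kind == "eq":
        return f"{term_str(f[1])} = {term_str(f[2])}"
    if kind == "not":
        return "¬" + fmt(f[1], False)
    if kind == "and":
        s = f"{fmt(f[1], False)} ∧ {fmt(f[2], False)}"
        return s if top else f"[{s}]"
    return f"{fmt(f[1], False)} ∨ {fmt(f[2], False)}"  # kind == "or"


def subst(f, var, repl):
    """Replace every occurrence of the variable var in formula f by the term repl."""
    def in_term(t):
        if t[0] == "var" and t[1] == var:
            return repl
        return ("app", t[1], in_term(t[2])) if t[0] == "app" else t
    kind = f[0]
    if kind == "pred":
        return ("pred", f[1], in_term(f[2]))
    if kind == "eq":
        return ("eq", in_term(f[1]), in_term(f[2]))
    if kind == "not":
        return ("not", subst(f[1], var, repl))
    return (kind, subst(f[1], var, repl), subst(f[2], var, repl))


def conj(alpha, phi):
    """α ∧ φ, or just φ when no invariant α is known before the test."""
    return phi if alpha is None else ("and", alpha, phi)


# The control rules, each returning the invariant(s) of its consequent.
def assignment_axiom(var, expr):              # <18>: x := a  gives  { x = a }
    return ("eq", ("var", var), expr)

def forward_assignment(alpha, var, inverse):  # <21>: { α(x) } x := f(x) L:  gives  { α(f⁻(x)) } at L
    return subst(alpha, var, ("app", inverse, ("var", var)))

def forward_loop_exit(alpha, test):           # <31>: ({ α, ¬t } at L' inside, { α, t } at L'' after)
    return conj(alpha, ("not", test)), conj(alpha, test)

def forward_test(alpha, test):                # <26>: ({ α, t } at then head, { α, ¬t } at else head)
    return conj(alpha, test), conj(alpha, ("not", test))

def forward_branch(alpha, beta):              # <27>: { α ∨ β } after fi
    return ("or", alpha, beta)

forward_loop_body = forward_branch             # <29>: { α ∨ β } at the loop head, same shape

Z = ("var", "z")
def t(x): return ("pred", "t", x)
def s(x): return ("pred", "s", x)


def annotate_p2():
    """Derive the loop invariant at L2 of schema P2, step by step as in the text."""
    init = assignment_axiom("z", ("const", "c"))         # { z = c } before the loop
    in_body, _ = forward_loop_exit(None, t(Z))           # { ¬t(z) } after 'until t(z)'
    before_if = forward_assignment(in_body, "z", "f⁻")   # { ¬t(f⁻(z)) } after z := f(z)
    then_head, else_head = forward_test(before_if, s(Z))
    then_end = forward_assignment(then_head, "z", "g⁻")  # after z := g(z)
    else_end = forward_assignment(else_head, "z", "h⁻")  # after z := h(z)
    body_end = forward_branch(then_end, else_end)        # end of the loop body
    return forward_loop_body(init, body_end)             # at L2


def disjuncts(f):
    return disjuncts(f[1]) + disjuncts(f[2]) if f[0] == "or" else [f]


def project(inv, index):
    """Weaken each conjunctive disjunct to its index-th conjunct (α ∧ β implies α):
    index 0 gives the exit lemma, index 1 the test lemma."""
    parts = [d[1 + index] if d[0] == "and" else d for d in disjuncts(inv)]
    out = parts[0]
    for p in parts[1:]:
        out = ("or", out, p)
    return out
```

Calling `fmt(annotate_p2())` reproduces the loop invariant exactly as displayed in the text, and `fmt(project(annotate_p2(), 0))` and `fmt(project(annotate_p2(), 1))` give the two lemmas.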


The following forall rule <36> is valuable for programs with universally-quantified output specification. Given a loop invariant α(x) at L, containing the integer variable (or expression) x and no other variables, check if x is monotonically increasing by one. If it is, then we have as a loop invariant at L that α still holds for all intermediate values lying between the initial and current values. That is

    { x = a }
    loop L: { α(x) }
         P
         { x = x_L+1 }
    repeat
    ----------------
    {? (∀i ∈ I)(a ≤ i ≤ x) α(i) ?} at L ,

where a is an integer expression with a constant value in P and x_L is the value of x when last at L. (This rule is similar to the universal-quantification technique for arrays in Katz and Manna [1973].) The rule may be broadened to apply when x is increasing by an amount other than 1, or for a decreasing x. Note that any loop counter will satisfy the conditions on x.

As a simple example, consider the loop

    i := 0
    loop L:
         until t(i)
         i := i+1
    repeat
    E: .

We clearly have i = 0 upon entering the loop, and i = i_L+1 at the end of the loop body. By the exit lemma, we have

    { i = 0 ∨ ¬t(i-1) } at L ,

and generalization of this invariant yields (∀l)(0 ≤ l ≤ i)(l = 0 ∨ ¬t(l-1)) at L. Simplifying, we get

    { (∀l)(0 ≤ l < i) ¬t(l) } at L .

This invariant may be pushed forward to E, where we also have the invariant t(i). Together they imply

    { i = min_l t(l) } at E .


4. Heuristic Rules

In contrast with the above rules which are algorithmic in the sense that they derive relations that are guaranteed to be invariants, there is another class of rules, heuristic rules, that can only suggest candidates for invariants. These candidates must be verified. [Since we have not implemented a theorem prover, our system suggests candidates, but does not verify them.]

As an example, consider the following disjunction heuristic <36>

    if t then P'; { α }
         else P''; { β }
    fi
    L:
    ----------------
    {? α , β ?} at L .

Since we know that α holds if the then path P' is taken, while β holds if the else path P'' is taken, clearly their disjunction α ∨ β holds at L in either case (that was expressed in the forward branch rule <27>). However, since in constructing a program, a conditional statement is often used to achieve the same relation in alternative cases, it is plausible that α (or, by the same token, β) may hold true for both the then and else paths.

Wegbreit [1974] and Katz and Manna [1976] have suggested a more general form of this heuristic <39>:

    { α ∨ β } at L
    ----------------
    {? α , β ?} at L .

However, as they remark, this heuristic should not be applied indiscriminately to any disjunctive invariant. We would not, for example, want to replace all occurrences of an invariant x ≥ 0 with the candidates x > 0 and x = 0. Special cases, such as the above disjunction heuristic, are needed to indicate where the strategy is relatively likely to be profitable.


As mentioned earlier, the output specification and user-supplied assertions are the initial set of candidates. Candidates are propagated over assignment and conditional statements using the same control rules as for invariants, and the top-down heuristic <38>,

    { γ }
    loop P'
         L':
         until t
         P''
    repeat
    L'': {? γ ?}
    ----------------
    {? γ ?} at L' ,

may be used to push a candidate backwards into a loop. Though t ⊃ γ would be a sufficiently strong loop invariant at L' to establish γ at L'' upon loop exit, the heuristic suggests a stronger candidate, γ itself, at L'. Since a necessary condition for γ to be an invariant is that it hold upon entrance to the loop, the antecedent of the rule requires the invariant γ before the loop. If some β, rather than γ, is known at that point, then for the heuristic to be applied, β must imply γ.

Returning to our integer-division example, the top-down heuristic suggests that of the candidates

    {? q ∈ N , q ≤ c/d , c/d < q+1 , r = c-q·d ?} at E1 ,

those which hold upon entering the loop — when q = 0 and r = c — are also candidates at L1. They are

    {? q ∈ N , q ≤ c/d , r = c-q·d ?} at L1 .

The third candidate at E1, c/d < q+1, does not necessarily hold for q = 0.


Each candidate must be checked for invariance; it must hold for the loop-initialization path and must be maintained true around the loop. Of the three candidates at L1, the first, q ∈ N, and last, r = c-q·d, have already been shown to be global invariants. To prove that the second, q ≤ c/d, is a loop invariant at L1, we first try to show that it is true when the loop is entered, that

    0 ≤ c/d .

The truth of this condition follows from the input specifications. Then we try to show that if q ≤ c/d is true at L1, and assuming that the loop is not exited, then it holds when control returns to L1,

    q ≤ c/d ∧ r ≥ d ⊃ q+1 ≤ c/d .

This condition, however, does not hold. Nevertheless, we can show that q ≤ c/d is an invariant by using other invariants: We have seen why r ≥ 0 and r = c-q·d are loop invariants at L1. Since substituting c-q·d for r in r ≥ 0 yields c-q·d ≥ 0, it follows that q ≤ c/d is also an invariant at L1. Thus, while an attempt to directly verify the candidate q ≤ c/d failed, once we have established that r ≥ 0 and r = c-q·d are invariants, we can also show that q ≤ c/d is an invariant.

Indeed, in general there may be insufficient information to prove that a candidate is invariant when it is first suggested, and only when other invariants are subsequently discovered does it become possible to verify the candidate. Therefore, every candidate should be retained until all invariants and candidates have been generated. Unproved candidates are also used by the heuristics to generate additional candidates. For example, the top-down heuristic uses the as yet unproved candidate γ at L'' to generate the candidate loop-invariant γ at L'.
Note that a candidate invariant must sometimes be replaced by a stronger candidate in order to prove invariance. This is analogous to other forms of proof by induction, where it is often necessary to strengthen the desired theorem for a proof to carry through. The reason is that by strengthening the theorem to be proved, we are at the same time strengthening the hypothesis that is used in the inductive step. We could not, for example, directly prove that the relation $(r \ge d) \lor (r = c - q \cdot d)$ is a loop invariant (that is the necessary condition for $r = c - q \cdot d$ to hold after the loop), since this candidate is not preserved by the loop, i.e.,

$[\, r \ge d \;\lor\; r = c - q \cdot d \,] \;\land\; r \ge d \;\supset\; [\, r - d \ge d \;\lor\; r - d = c - (q+1) \cdot d \,]$

does not hold. On the other hand, we can prove that the stronger relation $r = c - q \cdot d$ is an invariant, since we have a stronger hypothesis on the left-hand side of the implication; that is,

$r = c - q \cdot d \;\land\; r \ge d \;\supset\; r - d = c - (q+1) \cdot d$

does hold. Clearly, once we establish that $r = c - q \cdot d$ is an invariant, it follows that $(r \ge d) \lor (r = c - q \cdot d)$ also is.
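The two inductive-step checks just described (the candidate $q \le c/d$ that cannot be verified directly, and the weak disjunction beside its strengthening $r = c - q \cdot d$) can be run mechanically over a grid of small concrete states. The following Python is an added example, not code from the paper or its implementation; it assumes that the loop body of the integer-division program is `q := q+1; r := r-d`, taken when the exit test `r < d` fails, as in the transitions shown above.

```python
from itertools import product

# Added example (not the paper's code). It assumes the integer-division loop
# discussed in the text: continue while r >= d, with body q := q+1; r := r-d.

def loop_body(q, r, d):
    """One pass through the loop body, taken when the exit test r < d fails."""
    return q + 1, r - d

def quotient_candidate(q, r, c, d):
    """Candidate q <= c/d, written as q*d <= c to stay in the integers."""
    return q * d <= c

def weak_candidate(q, r, c, d):
    """Candidate (r >= d) v (r = c - q*d), which the text shows is not
    preserved by the loop body on its own."""
    return r >= d or r == c - q * d

def strong_candidate(q, r, c, d):
    """The strengthened candidate r = c - q*d."""
    return r == c - q * d

def derived_invariant(q, r, c, d):
    """r >= 0 together with r = c - q*d; from these, q <= c/d follows."""
    return r >= 0 and r == c - q * d

# Constructed grid of concrete states (c, d, q, r) with d > 0.
STATES = list(product(range(0, 6), range(1, 6), range(0, 6), range(-6, 7)))

def first_nonpreserved_state(candidate):
    """Return the first grid state (q, r, c, d) at which the candidate holds
    and the loop continues, yet the candidate fails after the body.
    None means the inductive step holds on the whole grid."""
    for c, d, q, r in STATES:
        if candidate(q, r, c, d) and r >= d:
            q2, r2 = loop_body(q, r, d)
            if not candidate(q2, r2, c, d):
                return (q, r, c, d)
    return None

def implies_quotient_bound():
    """Check over the grid that r >= 0 ^ r = c - q*d implies q <= c/d,
    which is how the text finally establishes the candidate."""
    return all(quotient_candidate(q, r, c, d)
               for c, d, q, r in STATES if derived_invariant(q, r, c, d))
```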


Various specific methods of strengthening candidates have been discussed in the literature (Wegbreit [1974], Katz and Manna [1976], Moriconi [1974] and others); they are closely related to methods of "top-down" structured programming. Related techniques are used by Greif and Waldinger [1974] and Suzuki and Ishihata [1977]. Also the candidates that Misra [1976] and Morris and Wegbreit [1977] derive, using the subgoal-induction method of verification, fall into this class.


In each of the following two sections, we shall demonstrate how a nontrivial program can be annotated using the rules in the Appendix. These examples are deliberately taken from previously published papers on program annotation in order to demonstrate the power of our approach.
III. EXAMPLE: Real-Division Program

Consider the following program $P_1$, purporting to approximate the quotient $c/d$ of two real numbers $c$ and $d$, where $0 \le c < d$. Upon termination, the variable $q$ should be no greater than the exact quotient, and the difference between $q$ and the quotient must be less than a given positive tolerance $\epsilon$. In other words, the input specification is

$0 \le c < d \;\land\; 0 < \epsilon$

and the output specification is

$q \le c/d \;\land\; c/d < q + \epsilon$ .

The program is

    P₁: begin comment real division
    B₁: { 0 ≤ c < d , 0 < ε }
        q := 0; qq := 0; r := 1; rr := d
        loop L₁: { ... }
          until r ≤ ε
          if qq+rr ≤ c then q := q+r; qq := qq+rr fi
          r := r/2; rr := rr/2
        repeat
    E₁: {? q ≤ c/d , c/d < q+ε ?}
    end

and our goal is to find loop invariants at $L_1$ in order to verify the output candidates at $E_1$. In our presentation of the annotation of this program, we first apply the assignment rules and then the control rules combined with a heuristic rule.


1. Assignment Rules

As a first step we attempt to derive simple invariants by ignoring the control structure of the program, and considering only the assignment statements. This will yield global invariants that hold throughout execution.


We first look for range invariants by considering all assignments to each variable. For example, since the assignments to $r$ are

    r := 1 | r := r/2 ,

we can apply the multiplication rule <2>

    x := a₀ | x·a₁  in P
    { x ∈ a₀·a₁^N }  in P .

Taking $r$ for $x$, $1$ for $a_0$ and $1/2$ for $a_1$, we derive the global invariant

$\{\, r \in 1/2^{N} \,\}$ in $P_1$ . (1)

In other words, $r = 1/2^{n}$ for some natural number $n$. From this it is possible to derive lower and upper bounds on $r$, i.e., $0 < r \le 1$.

Similarly, applying the multiplication rule to the assignments to $rr$

    rr := d | rr := rr/2 ,

yields

$\{\, rr \in d/2^{N} \,\}$ in $P_1$ . (2)

Since we are given that $d > 0$, it follows that $0 < rr \le d$.

The assignments to $q$ are

    q := 0 | q := q+r .

Since we know (1) $r \in 1/2^{N}$, these assignments may be interpreted as the nondeterministic assignments

    q :∈ 0 | q :∈ q+1/2^N .

Using the set-addition rule <5>

    x :∈ S₀ | x+S₁  in P
    { x ∈ S₀+ΣS₁ }  in P ,


we conclude

$\{\, q \in \Sigma 1/2^{N} \,\}$ in $P_1$ . (3)

This invariant states that $q$ is a finite sum of elements of the form $1/2^{n}$, where $n$ is some natural number. Since for any two such elements, one is a multiple of the other, it follows that the sum is of the form $m/2^{n}$, where $m, n \in N$.

From (2) $rr \in d/2^{N}$ and the assignments

    qq := 0 | qq := qq+rr ,

we get by the same set-addition rule

$\{\, qq \in d \cdot \Sigma 1/2^{N} \,\}$ in $P_1$ . (4)

The above four invariants give the range of each of the four program variables. Now we take up relations between pairs of variables by considering their respective assignments. Consider, first, the variables $r$ and $rr$. Their assignments are

    (r, rr) := (1, d) | (r, rr) := (r/2, rr/2) .

Each time one is halved, so is the other; therefore, the proportion between the initial values of $r$ and $rr$ is maintained throughout loop execution. This is an instance of the multiplication-relation rule <12>

    (x, y) := (a₀, b₀) | (x·u^a₁, y·u^b₁)  in P
    { x^b₁·b₀^a₁ = a₀^b₁·y^a₁ }  in P ,

yielding $r^{1} \cdot d^{1} = 1^{1} \cdot rr^{1}$, which simplifies to

$\{\, rr = d \cdot r \,\}$ in $P_1$ . (5)

The assignments to $q$ and $qq$ are

    (q, qq) := (0, 0) | (q, qq) := (q+r, qq+rr) .

Using (5) $rr = d \cdot r$ to substitute for $rr$ in the assignment $qq := qq + rr$, we have

    (q, qq) := (0, 0) | (q, qq) := (q+1·r, qq+d·r) ,

which is an instance of the addition-relation rule <11>

    (x, y) := (a₀, b₀) | (x+a₁·u, y+b₁·u)  in P
    { a₁·(y-b₀) = b₁·(x-a₀) }  in P .

Thus we have the global invariant $1 \cdot (qq - 0) = d \cdot (q - 0)$, i.e.,

$\{\, qq = d \cdot q \,\}$ in $P_1$ . (6)

In all, we have established the following global invariants:

$\{\, r \in 1/2^{N} \,,\; rr \in d/2^{N} \,,\; q \in \Sigma 1/2^{N} \,,\; qq \in d \cdot \Sigma 1/2^{N} \,,\; rr = d \cdot r \,,\; qq = d \cdot q \,\}$ in $P_1$ .


2. Control and Heuristic Rules

So far we have derived global invariants from the assignment statements, ignoring the control structure of the program. We turn now to local invariants extracted from the program structure.

By applying the assignment axiom <18>

    x := a
    { x = a }

to the four assignments at the beginning of the program, we get the local invariant

$\{\, (q, qq, r, rr) = (0, 0, 1, d) \,\}$

just prior to the loop. The loop axiom <20>,


    loop P'
      until t
      { ¬t }
      P''
    repeat

yields $r > \epsilon$ at the head of the loop body. Thus far, we have the annotated program segment

    { (q, qq, r, rr) = (0, 0, 1, d) }
    loop L₁: { ... }
      until r ≤ ε
      { r > ε }
      if qq+rr ≤ c then q := q+r; qq := qq+rr fi
      r := r/2; rr := rr/2
    repeat .


The conditional statement of the loop,

    if qq+rr ≤ c then q := q+r; qq := qq+rr fi

may be considered as having an empty else branch, i.e.,

    if qq+rr ≤ c then q := q+r; qq := qq+rr else fi .

So we apply the forward test rule <25>,

    { α }
    if t then L': ; P'
         else L'': ; P''
    fi
    { α, t } at L'
    { α, ¬t } at L'' ,

obtaining, thereby,


    if qq+rr ≤ c then { r > ε , qq+rr ≤ c }; q := q+r; qq := qq+rr
                 else { r > ε , c < qq+rr }
    fi .

Using the forward assignment rule <21>,

    { α(u, y) }
    x := u
    L:
    { α(x, y) } at L ,

where $x$ does not appear in $\alpha(u, y)$, the assignments of the then branch transform the invariant $qq + rr \le c$ into $qq \le c$ and leave $r > \epsilon$ unchanged. We obtain

    if qq+rr ≤ c then q := q+r; qq := qq+rr; { r > ε , qq ≤ c }
                 else { r > ε , c < qq+rr }
    fi .


We may now apply the forward branch rule <27>

    if t then P'; { α }
         else P''; { β }
    fi
    L:
    { α ∨ β } at L .

This rule disjoins the two possible outcomes of the conditional, and we obtain the invariant

$\{\, (r > \epsilon \land qq \le c) \;\lor\; (r > \epsilon \land c < qq + rr) \,\}$ .

The invariant simplifies to just

$\{\, r > \epsilon \,\}$ ,

since $r > \epsilon$ appears in both disjuncts while $qq \le c \lor c < qq + rr$ is a tautology (if the first disjunct is false, then $qq > c$, and since $rr$ is positive, $qq + rr > c$ is implied).


However, the disjunction heuristic

    if t then P'; { α }
         else P''; { β }
    fi
    L:
    {? α, β ?} at L

suggests that each of the two invariants, $qq \le c$ and $c < qq + rr$, may itself be an invariant. So we have

$\{\, r > \epsilon \,\}$ and $\{?\; qq \le c \,,\; c < qq + rr \;?\}$

following the conditional and preceding the assignments

    r := r/2; rr := rr/2 .

By further application of the forward assignment rule to the one invariant and the two candidates, we get

$\{\, 2 \cdot r > \epsilon \,\}$ and $\{?\; qq \le c \,,\; c < qq + 2 \cdot rr \;?\}$

at the end of the loop. So far we have the annotated loop:

    { (q, qq, r, rr) = (0, 0, 1, d) }
    loop L₁: { ... }
      until r ≤ ε
      if qq+rr ≤ c then q := q+r; qq := qq+rr fi
      r := r/2; rr := rr/2
      { 2·r > ε }  {? qq ≤ c , c < qq+2·rr ?}
    repeat .


Finally, by applying the forward loop-body rule <29>,

    { α }
    loop L:
      P
      { β }
    repeat
    { α ∨ β } at L ,

to the invariant at the end of the loop body, we derive the loop invariant

$\{\, (q, qq, r, rr) = (0, 0, 1, d) \;\lor\; 2 \cdot r > \epsilon \,\}$ at $L_1$ .

In order to simplify the presentation slightly, we shall use instead the weaker

$\{\, r = 1 \;\lor\; 2 \cdot r > \epsilon \,\}$ at $L_1$ . (7)

By a similar application of the forward loop-body rule to the two candidates at the end of the loop body, we get the candidates

$\{?\; (q, qq, r, rr) = (0, 0, 1, d) \;\lor\; qq \le c \;?\}$ at $L_1$

and

$\{?\; (q, qq, r, rr) = (0, 0, 1, d) \;\lor\; c < qq + 2 \cdot rr \;?\}$ at $L_1$ .

Both candidates may be simplified, since their first disjunct is subsumed by their second, leaving

$\{?\; qq \le c \,,\; c < qq + 2 \cdot rr \;?\}$ at $L_1$ .

These two candidates can indeed be proved to be invariants: The first candidate, $qq \le c$, derived from the initialization and then paths, is unaffected by the else path, which leaves the value of $qq$ unchanged. Similarly, the other candidate, $c < qq + 2 \cdot rr$, derived from the initialization and else paths, is maintained true by the then path. So we have the loop invariants

$\{\, qq \le c \,,\; c < qq + 2 \cdot rr \,\}$ at $L_1$ . (8)


Since there are no assignments between the loop and the end of the program, all the loop invariants may be pushed forward unchanged, and hold upon termination. With the loop exit test $r \le \epsilon$, the output invariants include

$\{\, rr = d \cdot r \,,\; qq = d \cdot q \,,\; (r = 1 \lor 2 \cdot r > \epsilon) \,,\; qq \le c \,,\; c < qq + 2 \cdot rr \,,\; r \le \epsilon \,\}$ at $E_1$ . (9)

Note that we did not make any use of the candidates

$\{?\; q \le c/d \,,\; c/d < q + \epsilon \;?\}$ at $E_1$ ,

suggested by the output specification, as no new invariants would be derived.

Though these invariants do imply $q \le c/d$ as specified, they do not imply $c/d < q + \epsilon$. In fact our program as given is incorrect. For a discussion of how these invariants may be used to guide the debugging of the program, see Dershowitz and Manna [1977].


3. Loop Counters

By introducing an imaginary loop counter $n$ — initialized to $0$ upon entering the loop and incremented by $1$ with each iteration — we may derive relationships between the program variables and the number of iterations.

The extended program (annotated with some of the invariants we have already found) is:

    P₁: begin comment real division
        { 0 ≤ c < d , 0 < ε }
        q := 0; qq := 0; r := 1; rr := d
        n := 0
        loop L₁: { rr = d·r , qq = d·q , (r = 1 ∨ 2·r > ε) , qq ≤ c , c < qq+2·rr }
          until r ≤ ε
          if qq+rr ≤ c then q := q+r; qq := qq+rr fi
          r := r/2; rr := rr/2
          n := n+1
        repeat
    E₁: { rr = d·r , qq = d·q , (r = 1 ∨ 2·r > ε) , qq ≤ c , c < qq+2·rr , r ≤ ε }
    end .


Obviously,

$\{\, n \in N \,\}$ in $P_1$ . (10)

For the variables $r$ and $n$, we have the assignments

    (r, n) := (1, 0) | (r, n) := (r/2, n+1)

and we can apply the linear-relation rule <14>

    (x, y) := (a₀, b₀) | (a₁·x+a₂, b₁·y+b₂)  in P
    { ... }  in P .

With this rule we get the global invariant

$\{\, [\, r \cdot (1/2 - 1) + 0 \,]^{1} \cdot 1^{n} = [\, 1 \cdot (1/2 - 1) + 0 \,]^{1} \cdot (1/2)^{n} \,\}$ in $P_1$ ,

which simplifies to yield

$\{\, r = 1/2^{n} \,\}$ in $P_1$ . (11)

Applying the same rule to

    (rr, n) := (d, 0) | (rr, n) := (rr/2, n+1) ,

we deduce

$\{\, rr = d/2^{n} \,\}$ in $P_1$ . (12)

With these loop-counter invariants, the total number of loop iterations as a function of the input values may be determined. Using (11), we can substitute $1/2^{n}$ for $r$ in the output invariant (9), $r \le \epsilon \land (r = 1 \lor 2 \cdot r > \epsilon)$, and get

$1/2^{n} \le \epsilon \;\land\; (1/2^{n} = 1 \;\lor\; 2/2^{n} > \epsilon)$ .

Taking the logarithm ($\epsilon$ is positive), we have the lower bound

$-\log_2 \epsilon \le n$

and upper bound

$n = 0 \;\lor\; n < -\log_2 \epsilon + 1$

on the number of loop iterations $n$. Note that by finding an upper bound on the number of iterations, we have actually proved that the loop terminates.

Combining both bounds gives (assuming $n \ne 0$)

$-\log_2 \epsilon \le n < -\log_2 \epsilon + 1$ ,

or, since $n$ is an integer (10), it is equal to the one integer lying between its lower and upper bound

$n = -\lfloor \log_2 \epsilon \rfloor$ .

Thus we have the output invariant

$\{\, n = 0 \;\lor\; n = -\lfloor \log_2 \epsilon \rfloor \,\}$ at $E_1$ . (13)

Since $n$ is the number of times the loop was executed before termination, we have derived the desired expression for the time complexity of the loop.
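As an added illustration (not code from the paper or its implementation), the following Python runs $P_1$ on exact rationals with the derived invariants (5)-(8), (11) and (12) checked at $L_1$ and (9) and (13) checked at $E_1$ as assertions; it also reports whether the output specification holds and whether the weaker bound $c/d < q + 2\epsilon$, which is all that (9) guarantees, holds.

```python
from fractions import Fraction
import math

def real_division(c, d, eps):
    """Execute P1 on exact rationals, asserting the derived invariants.

    Checked at L1: (5) rr = d*r, (6) qq = d*q, (7) r = 1 v 2r > eps,
    (8) qq <= c < qq + 2rr, and the counter invariants (11), (12).
    Checked at E1: (9) r <= eps and (13) n = 0 v n = -floor(log2 eps).
    Returns (q, n, spec_holds, within_2eps)."""
    c, d, eps = Fraction(c), Fraction(d), Fraction(eps)
    assert 0 <= c < d and 0 < eps                # input specification at B1
    q, qq, r, rr = Fraction(0), Fraction(0), Fraction(1), d
    n = 0                                         # imaginary loop counter
    while True:
        # loop invariants at L1
        assert rr == d * r and qq == d * q                    # (5), (6)
        assert r == 1 or 2 * r > eps                          # (7)
        assert qq <= c < qq + 2 * rr                          # (8)
        assert r == Fraction(1, 2 ** n) and rr == d / 2 ** n  # (11), (12)
        if r <= eps:                                  # until r <= eps
            break
        if qq + rr <= c:
            q, qq = q + r, qq + rr
        r, rr = r / 2, rr / 2
        n += 1
    # output invariants at E1
    assert r <= eps                                           # (9)
    assert n == 0 or n == -math.floor(math.log2(float(eps)))  # (13)
    spec_holds = q <= c / d and c / d < q + eps               # output spec
    # what (9) actually guarantees: c/d < q + 2r <= q + 2eps
    within_2eps = q <= c / d and c / d < q + 2 * eps
    return q, n, spec_holds, within_2eps
```

The second test case below (c = 9/10, d = 1, ε = 1/2) exits after one iteration with q = 0, so the output specification fails while every derived invariant holds, matching the text's remark that the program as given is incorrect.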
IV. EXAMPLE: Selection-Sort Program

The previous example contained only one loop and dealt with simple variables. As a more challenging example, we annotate an array-manipulation program containing nested loops. The program is intended to sort the array $A[0:n]$ of $n+1$ elements $A[0], A[1], \ldots, A[n]$ in ascending sequence. The output specification can therefore be expressed as

$(\forall l)(0 \le l < n)(A[l] \le A[l+1]) \;\land\; \mathit{perm}(A[0:n], A_0[0:n])$

where $\mathit{perm}(A[0:n], A_0[0:n])$ indicates that $A[0:n]$ is a permutation of the array $A_0[0:n]$, the value of the array $A$ when the program is first entered. The program is:

    P₂: begin comment selection sort
    B₂: { n ∈ N }
        i := 0
        loop L₂: { ... }
          until i ≥ n
          P₃: begin
            j := i+1; m := A[i]; k := i
            loop L₃: { ... }
              until j > n
              if A[j] < m then m := A[j]; k := j fi
              j := j+1
            repeat
            A[k] := A[i]; A[i] := m; i := i+1
          end
        repeat
    E₂: {? (∀l)(0 ≤ l < n)(A[l] ≤ A[l+1]) , perm(A[0:n], A₀[0:n]) ?}
    end .


1. Assignment Rules

We first try to determine the range of the program variables. The variables in the program $P_2$ are $i$, $j$, $k$, $m$, and $A$; the inner loop (the program segment $P_3$) sets the variables $j$, $k$ and $m$, and leaves $i$ and $A$ unchanged.

The assignments to $i$ are

    i := 0 | i := i+1

which by the addition rule <1>

    x := a₀ | x+a₁  in P
    { x ∈ a₀+a₁·N }  in P

give the global invariant

$\{\, i \in N \,\}$ in $P_2$ . (1)

Since the program $P_2$ contains the labels $L_2$, $L_3$ and $E_2$, this relation holds at all three points.

The assignments to $j$ are

    j := i+1 | j := j+1 .

Since we know $i \in N$, we may substitute for $i$ to obtain the nondeterministic assignments

    j :∈ N+1 | j :∈ j+1 ,

and by the set-addition rule <5> we get $j \in N + 1 + \Sigma 1$, which simplifies to

$\{\, j \in N_1 \,\}$ in $P_2$ . (2)

(Recall that these global invariants only hold after $j := i+1$ is executed for the first time.) Since within $P_3$ the value of $i$ is unchanged, it may be regarded as a constant. We can therefore apply the addition rule to the assignments to $j$, $j := i+1$ and $j := j+1$, obtaining

$\{\, j \in i + 1 + N \,\}$ in $P_3$

and consequently

$\{\, i < j \,\}$ in $P_3$ . (3)
The assignments to $k$ are

    k := i | k := j .

Using (1) and (2) to substitute $N$ for $i$ and $j$, we have

    k :∈ N | k :∈ N

and from the simple set-union rule <4>

    x :∈ S₀ | S₁  in P
    { x ∈ S₀ ∪ S₁ }  in P

it follows that

$\{\, k \in N \,\}$ in $P_2$ . (4)

In $P_3$, as we have seen, $i$ is constant and $j \in i + 1 + N$, so we substitute for $j$ in the assignments to $k$ to obtain

    k :∈ i | k :∈ i+1+N .

By the same set-union rule, we have that $k$ belongs to the union of $i$ and $i + 1 + N$. Therefore $k \in i + N$, and

$\{\, i \le k \,\}$ in $P_3$ . (5)

Finally, for $m$ we have the assignments

    m := A[i] | m := A[j] .

Using (1) $i \in N$ and (2) $j \in N$ to substitute $N$ for $i$ and $j$, we get

    m :∈ A[N] | m :∈ A[N] .

Thus, by the set-union rule, we obtain

$\{\, m \in A[N] \,\}$ in $P_2$ . (6)

In  the  following  subsections,  we  shall  apply  the  control  rules  and  heuristics  first  to  the 
inner  loop  and  then  to  the  outer  loop. 
2. Control Rules - Inner Loop

At any point in a program, the disjunction of what is known from the paths leading to that point is an invariant. So we can obtain loop invariants at label $L_3$ by considering the three paths leading to $L_3$: the initialization path from $L_2$ to $L_3$, the loop-body path from $L_3$ to $L_3$ via the then branch of the conditional, and the loop-body path via the else branch of the conditional.

From the initialization path, we have upon entering the inner loop

$i < n \;\land\; j = i + 1 \;\land\; m = A[i] \;\land\; k = i$ . (7)

The conjunct $i < n$ derives from the negation of the outer-loop exit test (using the loop axiom <20>); the other three conjuncts are obtained from the three assignments along the initialization path (by the assignment axiom <18>).

At the head of the inner-loop body, we have the invariant

$j \le n \;\land\; i = i_{L_3} \;\land\; A = A_{L_3} \;\land\; j = j_{L_3} \;\land\; k = k_{L_3} \;\land\; m = m_{L_3}$ ,

where $x_L$, for some variable $x$ and label $L$, denotes the value of $x$ when control was last at $L$. The first conjunct is the negation of the exit test and the other conjuncts, which are generated at $L_3$ using the value axiom <33>,

$\{\, x = x_L \,\}$ at $L$ ,

have been pushed past the exit test unchanged (this is an application of the forward loop-exit rule <31> to the inner loop). After executing the assignments in the then branch of the conditional, we know

$j \le n \;\land\; m = A[j] \;\land\; k = j \;\land\; i = i_{L_3} \;\land\; A = A_{L_3} \;\land\; j = j_{L_3}$ .

The second and third conjuncts derive from the assignments (by <18>); all the other conjuncts have been propagated forward (by the forward test rule <25> and forward assignment rule <21>).

After the (empty) else branch of the conditional, we have

$j \le n \;\land\; m \le A[j] \;\land\; i = i_{L_3} \;\land\; A = A_{L_3} \;\land\; j = j_{L_3} \;\land\; k = k_{L_3} \;\land\; m = m_{L_3}$ .

The second conjunct is the negation of the conditional test (by the conditional axiom <19>). Since we must have traversed either the then or else branch, we know that after the conditional

$(\, j \le n \land m = A[j] \land k = j \land i = i_{L_3} \land A = A_{L_3} \land j = j_{L_3} \,)$
$\;\lor\; (\, j \le n \land m \le A[j] \land i = i_{L_3} \land A = A_{L_3} \land j = j_{L_3} \land k = k_{L_3} \land m = m_{L_3} \,)$

(this is the forward branch rule <27>). Thus, at the end of the loop body, after incrementing $j$ by $1$, we have (by <21>)

$(\, j - 1 \le n \land m = A[j-1] \land k = j - 1 \land i = i_{L_3} \land A = A_{L_3} \land j - 1 = j_{L_3} \,)$
$\;\lor\; (\, j - 1 \le n \land m \le A[j-1] \land i = i_{L_3} \land A = A_{L_3} \land j - 1 = j_{L_3} \land k = k_{L_3} \land m = m_{L_3} \,)$ . (8)


Furthermore, if a relation $\alpha$ holds upon entering a loop, and we know that the loop body either does not change the values of the variables in $\alpha$, or reachieves $\alpha$ for the new values of the variables, then $\alpha$ is a loop invariant. This is the protected-invariant rule <34>

    { α(x) }
    loop L:
      P
      { α(x) ∨ x = x_L }
    repeat
    { α(x) } at L .

By substituting $k$ for $j - 1$ in the first disjunct of (8), we may derive $k \le n$ and $m = A[k]$. Thus, at the end of the loop body we know $(k \le n \land m = A[k]) \lor (A = A_{L_3} \land k = k_{L_3} \land m = m_{L_3})$. This invariant is of the form $\alpha(x) \lor x = x_L$, taking $\alpha(x)$ to be $k \le n \land m = A[k]$ and $x$ to be the variables $A$, $k$ and $m$. The first disjunct indicates that the then path achieves $\alpha(x)$; the second disjunct states that the else path leaves $A$, $k$ and $m$ unchanged. From invariant (7) preceding the loop, we can derive that initially $k \le n$ and $m = A[k]$. So we have

$\{\, k \le n \,,\; m = A[k] \,\}$ at $L_3$ . (9)

Similarly, by (8) we have $i = i_{L_3}$ for both loop-body paths, and by (7) we have $i < n$ upon entering the loop. Taking $\alpha(i)$ to be $i < n$, we get

$\{\, i < n \,\}$ at $L_3$ . (10)

Disjoining invariant (7) of the initialization path and (8) from the loop-body path, we get the following inner-loop invariant (by the forward loop-body rule <29>):

$\{\, (\, i < n \land j = i + 1 \land m = A[i] \land k = i \,)$
$\;\lor\; (\, j - 1 \le n \land m = A[j-1] \land k = j - 1 \,)$
$\;\lor\; (\, j - 1 \le n \land m \le A[j-1] \,) \,\}$ at $L_3$ . (11)

(The conjuncts referring to the previous value of a variable at $L_3$ have been removed.)

Now we extract the "common denominator" of the disjuncts in (11) arising from the different paths. The relation $j - 1 \le n$ appears in the second two disjuncts and is implied by the two conjuncts $i < n$ and $j = i + 1$ of the first disjunct, so we get the invariant

$\{\, j - 1 \le n \,\}$ at $L_3$ . (12)

In the first disjunct of (11) we have $j = i + 1 \land m = A[i]$, in the second we have $m = A[j-1]$, while in the third we have $m \le A[j-1]$. Thus for all paths

$\{\, m \le A[j-1] \,\}$ at $L_3$ . (13)

3. Generalization Heuristic - Inner Loop

The following generalization heuristic <37> is particularly valuable for loops involving arrays:

    { x = a }
    loop L: { α(x, y) }
      P
      { x = x_L+1 }
    repeat
    {? (∀l)(a ≤ l ≤ x)α(l, y) ?} at L .

This heuristic is similar to the forall rule <35>, but only suggests a candidate, since the variable $y$ may change value in $P$. In our case, reconsider the inner-loop invariant (13) $\alpha(j, m) : m \le A[j-1]$ at $L_3$. Initially $j$ is $i + 1$, and at the end of the loop body $j = j_{L_3} + 1$, so, as an invariant candidate, we try

$\{?\; (\forall l)(i + 1 \le l \le j)(m \le A[l-1]) \;?\}$ at $L_3$ ,

which we shall abbreviate as $m \le A[i:j-1]$. Checking the candidate for the then and else paths determines that it is in fact an invariant, and we have for the inner loop

$\{\, m \le A[i:j-1] \,\}$ at $L_3$ . (14)

So far we have derived the following inner-loop invariants

$\{\, k \le n \,,\; m = A[k] \,,\; i < n \,,\; j - 1 \le n \,,\; m \le A[i:j-1] \,\}$ at $L_3$ .

We turn now to consider the outer loop.

4. Control Rules - Outer Loop

Using the forward loop-exit rule <31>, the invariants at $L_3$ may be propagated past the exit test $j > n$, obtaining

$\{\, k \le n \,,\; m = A[k] \,,\; i < n \,,\; j - 1 \le n \,,\; m \le A[i:j-1] \,,\; j > n \,\}$

just prior to the assignments

    A[k] := A[i]; A[i] := m; i := i+1 .

Propagating these invariants past the assignments, we get the following invariants at the end of the outer-loop body:

$\{\, k \le n \,,\; i \le n \,,\; m \le A[i:j-1] \,,\; m = A[i-1] \,,\; j - 1 = n \,\}$ . (15)

The invariant $k \le n$ is propagated unchanged. The invariant $i < n$ becomes $i - 1 < n$ after executing $i := i+1$ (by the forward assignment rule <21>), which is equivalent to $i \le n$ (since both $i$ and $n$ are integers). The invariant $m \le A[i:j-1]$ still holds after assigning to $A[k]$, since it also held for $A[i]$; after the assignment to $A[i]$, it becomes $m \le A[i+1:j-1]$ (by the forward array-assignment rule <23>); after incrementing $i$, it becomes $m \le A[i:j-1]$. The assignment $A[i] := m$ generates the invariant $m = A[i]$ (by the axiom <18>), which becomes $m = A[i-1]$ after incrementing $i$. Finally, the invariants $j - 1 \le n$ and $j > n$ simplify to $j - 1 = n$ (since (2) $j \in N$).

Clearly upon entering the outer loop (by <18>)

$i = 0$ .

Thus, by the forward loop-body rule <29>, we have the outer-loop invariant

$\{\, i = 0 \;\lor\; (\, k \le n \land i \le n \land m \le A[i:j-1] \land m = A[i-1] \land j - 1 = n \,) \,\}$ at $L_2$

with the following two corollaries:

$\{\, i = 0 \;\lor\; A[i-1] \le A[i:n] \,\}$ at $L_2$ (16)

(the second disjunct follows from $m \le A[i:j-1]$, $m = A[i-1]$ and $j - 1 = n$), and

$\{\, i \le n \,\}$ at $L_2$ (17)

(since $i = 0$ is subsumed by $i \le n$ for $n \in N$). If we use the forward loop-exit rule <31> to push $i \le n$ past the exit test $i \ge n$ and out of the loop, we get the output invariant $i \le n \land i \ge n$ at $E_2$, or,

$\{\, i = n \,\}$ at $E_2$ . (18)


5. Heuristics - Outer Loop

We use the generalization heuristic <37> to generalize (16) for the counter $i$, where $\alpha(i, A)$ is $i = 0 \lor A[i-1] \le A[i:n]$. Since $i$ is initially $0$, this yields the candidate

$\{?\; (\forall l)(0 \le l \le i)(l = 0 \lor A[l-1] \le A[l:n]) \;?\}$ at $L_2$ .

This is equivalent to

$\{?\; (\forall l)(0 \le l < i)(A[l] \le A[l+1:n]) \;?\}$ at $L_2$

and states, in effect, that the array elements $A[0:i-1]$ are sorted and that they are all smaller than the array elements $A[i:n]$. It can be shown that it does indeed remain invariant, so we have the outer-loop invariant

$\{\, (\forall l)(0 \le l < i)(A[l] \le A[l+1:n]) \,\}$ at $L_2$ . (19)

This may be pushed out of the loop to $E_2$, and with (18), i.e., $i = n$ at $E_2$, implies the first conjunct of the output specification,

$(\forall l)(0 \le l < n)(A[l] \le A[l+1])$ .

The top-down heuristic <38> suggests that the output specification $\mathit{perm}(A[0:n], A_0[0:n])$, which is obviously true initially, is itself a candidate at $L_2$. Since it can be shown that the only two assignments to $A$ have the effect of exchanging the values of $A[k]$ and $A[i]$, we have the invariant

$\{\, \mathit{perm}(A[0:n], A_0[0:n]) \,\}$ at $L_2$ . (20)


The program, annotated with some of the more important loop and output assertions, is:

    P₂: begin comment selection sort
    B₂: { n ∈ N }
        i := 0
        loop L₂: { i ∈ N , i ≤ n , (∀l)(0 ≤ l < i)(A[l] ≤ A[l+1:n]) ,
                   perm(A[0:n], A₀[0:n]) }
          until i ≥ n
          P₃: begin
            j := i+1; m := A[i]; k := i
            loop L₃: { i, j, k ∈ N , i < n , i < j ≤ n+1 , i ≤ k ≤ n ,
                       m = A[k] , m ≤ A[i:j-1] }
              until j > n
              if A[j] < m then m := A[j]; k := j fi
              j := j+1
            repeat
            A[k] := A[i]; A[i] := m; i := i+1
          end
        repeat
    E₂: { i = n , (∀l)(0 ≤ l < i)(A[l] ≤ A[l+1:n]) , perm(A[0:n], A₀[0:n]) }
    end .


To determine the time complexity of this program, we add three counters: one for the outer loop, one for the inner loop, and a third to sum the total number of inner-loop executions. Using the annotation rules, one can easily show that the outer loop is iterated $n$ times, that the inner loop is executed $n - i$ times for each outer-loop iteration, and that the total number of inner-loop executions is $n \cdot (n+1)/2$.
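Added example (not the paper's code or its implementation): the selection-sort program $P_2$ written in Python with the loop invariants at $L_2$ and $L_3$, the output assertions at $E_2$, and the three iteration counters just described checked as assertions; the counters `outer`, `inner` and `inner_total` are the hypothetical additions the text mentions.

```python
def selection_sort(A):
    """Run P2 on a copy of A[0:n] (n = len(A) - 1), asserting the derived
    invariants at L2, L3 and E2 and the iteration counts.
    Returns (sorted_list, outer_iterations, total_inner_iterations)."""
    A = list(A)
    A0 = list(A)                 # A on entry, for perm(A[0:n], A0[0:n])
    n = len(A) - 1
    assert n >= 0                # B2: n in N
    i = 0
    outer, inner_total = 0, 0    # hypothetical counters added for timing
    while True:
        # outer-loop invariants at L2: (17), (19), (20)
        assert 0 <= i <= n
        assert all(A[l] <= min(A[l + 1:n + 1]) for l in range(i))
        assert sorted(A) == sorted(A0)
        if i >= n:                                  # until i >= n
            break
        outer += 1
        j, m, k = i + 1, A[i], i
        inner = 0
        while True:
            # inner-loop invariants at L3: (3), (5), (9), (10), (12), (14)
            assert i < n and i < j <= n + 1 and i <= k <= n
            assert m == A[k]
            assert all(m <= A[l - 1] for l in range(i + 1, j + 1))
            if j > n:                               # until j > n
                break
            inner += 1
            if A[j] < m:
                m, k = A[j], j
            j += 1
        assert inner == n - i        # inner loop runs n-i times per pass
        inner_total += inner
        A[k] = A[i]; A[i] = m; i += 1
    # output assertions at E2: (18), sortedness, and the total count
    assert i == n
    assert all(A[l] <= A[l + 1] for l in range(n))
    assert outer == n and inner_total == n * (n + 1) // 2
    return A, outer, inner_total
```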
APPENDIX

In this appendix we present a catalog of annotation rules. We use the following conventions:

P, P' and P'' denote program segments;
L, L' and L'' are statement labels;
α, β, γ and δ denote predicates;
x, y and z are variables;
a_i and b_i are expressions which are constant in the given program segment;
u and v are arbitrary expressions;
N denotes the set of natural numbers and I the set of all integers.


1. Assignment Rules

• Range rules

<1> addition rule

    x := a₀ | x+a₁ | x+a₂ | ...  in P
    { x ∈ a₀+a₁·N+a₂·N+ ... }  in P

<2> multiplication rule

    x := a₀ | x·a₁ | x·a₂ | ...  in P
    { x ∈ a₀·a₁^N·a₂^N· ... }  in P

<3> exponentiation rule

    x := a₀ | x^a₁ | x^a₂ | ...  in P
    { x ∈ a₀^(a₁^N·a₂^N· ...) }  in P
• Set assignment rules

x :∈ S refers to an assignment x := u where it is known that u ∈ S;
ΣS is the closure of the set S under +;
ΠS is the closure of the set S under ·;

<4> set-union rule

    x :∈ S₀ | S₁ | S₂ | ...  in P
    { x ∈ S₀ ∪ S₁ ∪ S₂ ∪ ... }  in P

<5> set-addition rule

    x :∈ S₀ | x+S₁ | x+S₂ | ...  in P
    { x ∈ S₀+ΣS₁+ΣS₂+ ... }  in P

<6> set-multiplication rule

    x :∈ S₀ | x·S₁ | x·S₂ | ...  in P
    { x ∈ S₀·ΠS₁·ΠS₂· ... }  in P

<7> set-exponentiation rule

    x :∈ S₀ | x^S₁ | x^S₂ | ...  in P
    { x ∈ S₀^(ΠS₁·ΠS₂· ...) }  in P


• Counter relation rules

n is an integer variable;
n₀ is an integer;
v(n) is an expression containing the one variable n.

<8> addition-counter rule

    (x, n) := (a₀, n₀) | (x+v(n), n+1)  in P
    { x = ... }  in P

<9> multiplication-counter rule

    (x, n) := (a₀, n₀) | (x·v(n), n+1)  in P
    { x = ... }  in P

<10> exponentiation-counter rule

    (x, n) := (a₀, n₀) | (x^v(n), n+1)  in P
    { x = ... }  in P


• Basic relation rules

<11> addition-relation rule

    (x, y) := (a₀, b₀) | (x+a₁·u, y+b₁·u) | (x+a₂·v, y+b₂·v) | ...  in P
    { a₁·(y-b₀) = b₁·(x-a₀) }  in P

<12> multiplication-relation rule

    (x, y) := (a₀, b₀) | (x·u₁^a₁, y·u₁^b₁) | (x·u₂^a₂, y·u₂^b₂) | ...  in P
    { x^b₁·b₀^a₁ = a₀^b₁·y^a₁ }  in P

<13> exponentiation-relation rule

    (x, y) := (a₀, b₀) | (x^(u₁^a₁), y^(u₁^b₁)) | (x^(u₂^a₂), y^(u₂^b₂)) | ...  in P

• Assorted relation rules

<14> linear-relation rule

    (x, y) := (a₀, b₀) | (a₁·x+a₂, b₁·y+b₂)  in P
    { ... }  in P  when b₁ = 1
    { [x·(a₁-1)+a₂] ... [a₀·(a₁-1)+a₂] ... }  in P  otherwise

<15> quadratic rule

    (x, y) := (a₀, b₀) | (x+a₁, y+b₁·x+b₂)  in P
    { 2·a₁·(y-b₀) = (x-a₀)·[b₁·(x-a₀-a₁)+2·(b₁·a₀+b₂)] }  in P
<16> factorial rule

    (x, y) := (a₀·a₁, b₀) | (x+a₁, y·x·b₁)  in P
    { y·(a₀-1)! = b₀·(a₁·b₁)^(x/a₁-a₀)·(x/a₁-1)! }  in P

<17> multiplication-exponentiation rule

    (x, y) := (a₀, b₀) | (x·a₁^u, y^u) | (x·a₂^v, y^v) | ...  in P
    { ... [log(y)/log(b₀)] ... }  in P

2. Control Rules


• Control axioms

<18> assignment axiom

    x := a
    { x = a }

<19> conditional axiom

    if t then { t }; P'
         else { ¬t }; P''
    fi

<20> loop axiom

    loop P'
      until t
      { ¬t }
      P''
    repeat
    { t }
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• Assignment  control  rules 
A is  an  array  variable; 

the  array  function  assign(A  . y , g)  yields  , with  z replacing  A[y]  . 


<21>  forward assignment rule

{ α(x,y) }                      {? γ(x,y) ?}
x := f(x,y)                     x := f(x,y)
L:                              L:

{ α(f⁻(x,y), y) } at L          {? γ(f⁻(x,y), y) ?} at L

where f⁻ is the inverse of the function f in the first argument, i.e., f⁻(f(x,y), y) = x.

{ α(u,y) }                      {? γ(u,y) ?}
x := u                          x := u
L:                              L:

{ α(x,y) } at L                 {? γ(x,y) ?} at L

where x does not appear in α(u,y) or γ(u,y).


<22>  backward assignment rule

L:                              L:
x := u                          x := u
{ β(x,y) }                      {? δ(x,y) ?}

{ β(u,y) } at L                 {? δ(u,y) ?} at L


<23>  forward array-assignment rule

{ α(A,z) }                      {? γ(A,z) ?}
A[y] := f(A[y], z)              A[y] := f(A[y], z)
L:                              L:

{ α(assign(A, y, f⁻(A[y], z)), z) } at L        {? γ(assign(A, y, f⁻(A[y], z)), z) ?} at L

where f⁻(f(A[y], z), z) = A[y].


<24>  backward array-assignment rule

L:                              L:
A[y] := v                       A[y] := v
{ β(A,z) }                      {? δ(A,z) ?}

{ β(assign(A, y, v), z) } at L          {? δ(assign(A, y, v), z) ?} at L
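Rules <21> to <24> are substitution rules, and their content is easiest to see when the substitution is carried out mechanically. The following added example (not from the paper or its implementation) represents assertions as Python predicates over a program state, implements assign(A, y, z) as defined above, and derives the asserted predicate for each rule by evaluating the original one on the substituted state. It then checks, over constructed grids of states, that the backward rules are exact (the derived precondition agrees with the postcondition evaluated after the assignment on every state) and that the forward rule is sound whenever the supplied f⁻ really inverts f in its first argument. The predicates, assignments and state grids are constructed for the example.

```python
from itertools import product


def assign(A, y, z):
    """The array function assign(A, y, z): a copy of A with z replacing A[y]."""
    B = list(A)
    B[y] = z
    return B


def run_assignment(state, x, u):
    """Execute x := u on a copy of the state; u maps a state to a value."""
    s = dict(state)
    s[x] = u(state)
    return s


def run_array_assignment(state, A, y, v):
    """Execute A[y] := v on a copy of the state; y and v map a state to values."""
    s = dict(state)
    s[A] = assign(state[A], y(state), v(state))
    return s


def backward_assignment(beta, x, u):
    """Rule <22>: { beta(x,y) } after x := u gives { beta(u,y) } before it,
    i.e. beta evaluated with u substituted for x."""
    return lambda s: beta(run_assignment(s, x, u))


def backward_array_assignment(beta, A, y, v):
    """Rule <24>: { beta(A,z) } after A[y] := v gives { beta(assign(A,y,v), z) } before it."""
    return lambda s: beta(run_array_assignment(s, A, y, v))


def forward_assignment(alpha, x, f_inv):
    """Rule <21>: { alpha(x,y) } before x := f(x,y) gives { alpha(f_inv(x,y), y) }
    after it, where f_inv undoes f in its first argument."""
    return lambda s: alpha(run_assignment(s, x, f_inv))


def backward_rule_exact(beta, x, u, states):
    """On every state the derived precondition agrees with beta evaluated
    after actually executing x := u."""
    pre = backward_assignment(beta, x, u)
    return all(pre(s) == beta(run_assignment(s, x, u)) for s in states)


def backward_array_rule_exact(beta, A, y, v, states):
    pre = backward_array_assignment(beta, A, y, v)
    return all(pre(s) == beta(run_array_assignment(s, A, y, v)) for s in states)


def forward_rule_sound(alpha, x, f, f_inv, states):
    """Whenever alpha holds before x := f(x,y), the derived assertion holds after it."""
    post = forward_assignment(alpha, x, f_inv)
    return all(post(run_assignment(s, x, f)) for s in states if alpha(s))


def scalar_states():
    """Constructed sample states over a small integer grid."""
    return [{"x": x, "y": y} for x, y in product(range(-4, 5), repeat=2)]


def array_states():
    """Constructed sample states with a two-element array A and a scalar z."""
    return [{"A": [a, b], "z": z} for a, b, z in product(range(-2, 3), repeat=3)]


if __name__ == "__main__":
    beta = lambda s: s["x"] > s["y"]                    # postcondition of x := x+1
    print(backward_rule_exact(beta, "x", lambda s: s["x"] + 1, scalar_states()))
    alpha = lambda s: s["x"] == 2 * s["y"]              # precondition of x := x+y
    print(forward_rule_sound(alpha, "x", lambda s: s["x"] + s["y"],
                             lambda s: s["x"] - s["y"], scalar_states()))
    gamma = lambda s: s["A"][0] + s["A"][1] == s["z"]   # postcondition of A[1] := A[0]
    print(backward_array_rule_exact(gamma, "A", lambda s: 1, lambda s: s["A"][0], array_states()))
```

The forward rule carries a proof obligation the backward rule does not: f⁻ must really be an inverse on the states that can occur (for x := x*y with y = 0 there is none), and the second form of <21> additionally requires that x not occur in α(u,y); a substitution that ignores either condition produces a confident but false annotation.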
• Conditional control rules

<25>  forward test rule

{ α }                           {? γ ?}
if t then L': P'                if t then L': P'
     else L'': P''                   else L'': P''
fi                              fi

{ α, t } at L'                  {? γ ?} at L' and L''
{ α, ¬t } at L''


<26>  backward test rule

L:                              L:
if t then { α } ; P'            if t then {? γ ?} ; P'
     else { β } ; P''                else {? δ ?} ; P''
fi                              fi

{ t ⊃ α, ¬t ⊃ β } at L          {? t ⊃ γ, ¬t ⊃ δ ?} at L

<27>  forward branch rule

if t then P' ; { α }            if t then P' ; {? γ ?}
     else P'' ; { β }                else P'' ; {? δ ?}
fi                              fi
L:                              L:

{ α ∨ β } at L                  {? γ ∨ δ ?} at L

<28>  backward branch rule

if t then P' ; L':              if t then P' ; L':
     else P'' ; L'':                 else P'' ; L'':
fi                              fi
{ β }                           {? δ ?}

{ β } at L' and L''             {? δ ?} at L' and L''

• Loop control rules

<29>  forward loop-body rule

{ α }                           {? γ ?}
loop L:                         loop L:
  P                               P
  { β }                           {? δ ?}
repeat                          repeat

{ α ∨ β } at L                  {? γ ∨ δ ?} at L

<30>  backward loop-body rule

L':                             L':
loop { β }                      loop {? δ ?}
  P                               P
  L'':                            L'':
repeat                          repeat

{ β } at L' and L''             {? δ ?} at L' and L''

<31>  forward loop-exit rule

loop P'                         loop P'
  { α }                           {? γ ?}
  until t                         until t
  L':                             L':
  P''                             P''
repeat                          repeat
L'':                            L'':

{ α, ¬t } at L'                 {? γ ?} at L' and L''
{ α, t } at L''

<32>  backward loop-exit rule

loop P'                         loop P'
  L:                              L:
  until t                         until t
  { α }                           {? γ ?}
  P''                             P''
repeat                          repeat
{ β }                           {? δ ?}

{ ¬t ⊃ α, t ⊃ β } at L          {? ¬t ⊃ γ, t ⊃ δ ?} at L



• Value rules

x_L denotes the value of the variable x when control was last at label L.

<33>  value axiom

L:
{ x = x_L }

An invariant containing x_L may not be pushed over the label L.
<34>  protected-invariant rule

{ α(x) }
loop L:
  P
  { α(x) ∨ x = x_L }
repeat

{ α(x) } at L

where x is the only variable in α.

<35>  forall rule

{ x = a, x ∈ I }
loop L: { α(x) }
  P
  { … }
repeat

{ (∀i ∈ I)(a ≤ i ≤ x ⊃ α(i)) } at L

where x is the only variable in α.


3.  Heuristic rules

<36>  disjunction heuristic

if t then P' ; { α }
     else P'' ; { β }
fi
L:

{? α, … ?} at L

<37>  generalization heuristic

{ x = a, x ∈ I }
loop L: { α(x, y) }
  P
  { … }
repeat

{? (∀i ∈ I)(a ≤ i ≤ x ⊃ α(i, y)) ?} at L

<38>  top-down heuristic

{ … }
loop P'
  L:
  until t
  P''
repeat
{? γ ?}

{? γ ?} at L

• Dangerous heuristics - to be applied with caution

<39>  or heuristic (applied in conjunction with the forward branch rule)

{ α ∨ β } at L

{? α, β ?} at L

<40>  strengthening heuristic (applied in conjunction with the top-down heuristic)

{ α(x) } and {? γ(x) ?} at L

{? (∀x)(α(x) ⊃ γ(x)) ?} at L

<41>  transitivity heuristic (applied in conjunction with the top-down heuristic)

{ uRv } and {? uRw ?} at L

{? vRw ∨ v = w ?} at L

where R is a transitive relation.